111 posts categorized "Forensics & Deep Packet Capture" Feed

I need a TAP for Total Visibility, what do I need to know? (by Derek Burke)

 I need a TAP, what do I need to know?

Deciding which TAP to purchase

Network TAPs (Test Access Points) are the absolute best way to gain access to network traffic, whether that be for network visibility solutions, network monitoring infrastructure, or network security auditing.  It is common at a certain point in an organization’s growth for it to be recognized that mirror ports and SPAN (Switch Port ANalyzer) ports, due to their many limitations, are no longer sufficient to provide traffic to monitoring and or security tools. When it comes time to begin building a TAP infrastructure there are several details to consider. Some are simple and obvious, and others may be subtler and more nuanced. This article is intended to be a primer on the main points to consider when searching for Network TAPs for your environment. The information contained herein applies primarily to Cubro Network Visibility TAPs as these are the products I have the most first-hand knowledge of.

Media Type and Connector Type

The first consideration for which TAP is best suited to environment is a fairly obvious one: Which media type do you intend to tap? Really, this is the difference between an electrical connection or a fiberoptic connection. On the electrical side we generally are talking about UTP (or perhaps STP cabling; it makes no difference for our purposes), although the use of DAC (Direct Attach Cabling) is relatively common as well. Fiberoptic cabling can be broken down into Single-Mode and Multi-Mode fiber and Multi-Mode fiber presents two possible core diameters to choose from.

Each of these media types will in turn necessitate a connector type on the TAP as well; fiber, again, having the most options. First let’s address electrical connections and specifically UTP as it is the most common electrical media that a TAP will be used with. The category of UTP cabling doesn’t really impact the decision of which TAP we will choose but would, of course, impact supported speeds and cable length. The speed of the link is a differentiating factor though.  Although it is not terribly common to encounter 10/100 links anymore it is important to point out that it is possible to have a completely passive electrical TAP (that requires power only for the monitor ports) at this speed. If you have 10/100 links in your environment the questions are whether it is more important to have a passive TAP that will not support 1G speeds or whether the option of upgrading the links without needing to replace the TAPs takes precedence.

10/100/1000 links are quite straightforward; you only have one choice. It is not possible to build a completely passive TAP for gigabit Ethernet over UTP; until now the industry approach has been to use relays to provide a fail-safe solution. This approach has not been problem-free though and instances where a link does not come back up or renegotiating a link after a failure takes an excessively long time are not rare. When I said you only had one choice earlier that is only partially true; in response to the number of issues with relay-based TAPs Cubro has designed a new type of 10/100/1000 TAP to drastically reduce these issues; adding a new, more reliable option to the mix.  

Continue reading "I need a TAP for Total Visibility, what do I need to know? (by Derek Burke)" »

LMTV Live | Modern Attack Vectors – A Compounded Headache (with Andrew Vladimirov)

EVENT START TIME: 9:30 AM PST - Wednesday, September 5th, 2018

This week we will be talking with Andrew Vladimirov of Arhont Information Security, about the new tricks hackers are using to get their hands on your data and do other nasty things.

Before you implement counter information security measures, do you know what you are protecting against? Do you understand the actual risks your business faces and the attacker strategies that are used?

Determined and skilled hackers employ a combination of social engineering and technical (client/server/application/database/all 7 OSI layers network) attack means which interchange subject to how events unfold and where the next available gap can be found. Until you fully understand how an attacker approaches work in combination of these methods and how these create compounded risks, you will continue building virtual Maginot lines and gasping at being outflanked yet another time. 

In this LMTV session we will discuss the how hackers combining social engineering and technical attacks, make the most devastating and difficult to protect against today.  We will suggest ways you should start planning against these.

Analyzing Microsoft IIS Web Logs - Part 2 (by Paul Offord)

Now almost all the streams we analyze are encrypted, how can we see what's inside those pesky SSL/TLS packets. Here's one way.


In the previous video in this series we saw how web logs provide an abundance of information; just the sort of stuff we need to take a performance problem to a developer.  And now we can analyze web logs with Wireshark.

In this video ...

Continue reading "Analyzing Microsoft IIS Web Logs - Part 2 (by Paul Offord)" »

Analyzing Microsoft IIS Web Logs - Part 1 (by Paul Offord)

Wireshark's new TRANSUM plugin provides a great way to identify slow web site and web service transactions, but there's a problem.  More often than not, web traffic is carried in SSL (TLS) encrypted messages, and so, although we can see slow response times, we can't see the detail.  To prove the cause of a slow response time, ideally we want to see the URI, query strings and, in the case of a web service request, the SOAP Action value.


If we are very lucky, we may be able to get a copy of the private SSL keys and use Wireshark to decrypt the traffic, but what if that's not possible.  The good news is that web logs have much of the information we need, and we can combine this with Wireshark network traces to get a more complete picture.

In this video ...

Continue reading "Analyzing Microsoft IIS Web Logs - Part 1 (by Paul Offord)" »

Using NetworkMiner with a Windows netsh trace File (by Paul Offord)

Before analyzing a network packet trace file, I try to make sure that I've collected information about IP addresses and TCP/UDP port numbers.  Even so, I still find that I don't have all the information I need.  There are techniques you can use to get the missing information - check NBNS host announcements, explore the names resolved by DNS - but it's all just more hassle.


Recently I noticed a bit of a buzz around NetworkMiner, so I thought I'd check it out.  What I found was a simple tool that does just what I need; extract useful host and service information from Wireshark traces.  We now analyze a fair number of traces captured with Windows netsh trace, so I thought I'd look at how we can use NetworkMiner with these Windows-native trace files.

In this video ...

Continue reading "Using NetworkMiner with a Windows netsh trace File (by Paul Offord)" »